ast/insecure-websocket-protocol
WebSocket opened over cleartext ws:// instead of wss://
What it detects
new WebSocket("ws://...") opens an unencrypted connection. Every cookie sent with the handshake, every message body, and any token in the URL travels in cleartext and is trivially readable on shared Wi-Fi, hotel networks, or at any network device that sees the bytes. Browsers already refuse to open ws:// from a page served over https:// (mixed content), so a cleartext socket typically survives only on http:// pages and in non-browser clients, and cookies marked Secure are not sent on it at all. Switch to wss:// and terminate TLS at the same gateway as your HTTPS traffic. For local development against localhost, gate the protocol on process.env.NODE_ENV (or derive it from location.protocol) so that production code paths never reach the ws:// branch; bundlers inline NODE_ENV at build time, so the cleartext branch is dropped from production bundles entirely.
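The following is an added example, not code from the rule page or from repoguard: the flagged shape next to a hardened URL builder that derives the scheme from the page protocol and only permits ws:// for a localhost host in a non-production build. The function names, the /events path, and the host list are assumptions made for illustration.

```javascript
// Added example (not repoguard's code). Shows what the rule flags and one
// way to build the URL so production can never reach a ws:// branch.

// What ast/insecure-websocket-protocol flags: a hard-coded cleartext scheme.
function insecureSocketUrl(host) {
  return `ws://${host}/events`; // handshake cookies, messages and URL token all in cleartext
}

// Hosts for which cleartext is tolerated during local development only.
// (Assumed list for the example; widen it only for loopback addresses.)
const LOCAL_DEV_HOSTS = /^(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/;

// Hardened builder. Inputs are passed explicitly so the logic is testable
// outside a browser; currentSocketUrl() below wires in the real values.
function socketUrl({ host, pageProtocol, nodeEnv }) {
  const localDev = nodeEnv !== "production" && LOCAL_DEV_HOSTS.test(host);
  // An https:// page cannot open ws:// (mixed content), and anything that is
  // not a local dev host must be encrypted regardless of environment.
  if (pageProtocol === "https:" || !localDev) {
    return `wss://${host}/events`;
  }
  return `ws://${host}/events`;
}

// Read the real page protocol and build-time NODE_ENV. Falls back to "https:"
// outside a browser so a non-browser client also defaults to encryption.
function currentSocketUrl(host) {
  const pageProtocol =
    typeof location !== "undefined" ? location.protocol : "https:";
  const nodeEnv =
    typeof process !== "undefined" && process.env ? process.env.NODE_ENV : "production";
  return socketUrl({ host, pageProtocol, nodeEnv });
}

// Opens the socket; the rule sees `new WebSocket(...)` with a computed URL
// whose only ws:// path is the localhost/non-production branch above.
function openEventSocket(host) {
  return new WebSocket(currentSocketUrl(host));
}
```

Keep the authentication token out of the URL even over wss://: the URL is still written to proxy and server access logs, so send it in the first message after the connection opens or rely on the cookie the handshake already carries.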
How it runs
Each scanned file is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape described above: a new WebSocket(...) whose URL begins with ws://. Files larger than 200 KB, or that fail to parse, are skipped, so a finding's absence in such a file is not a clean bill of health.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.